
NAT and PAT – Part 4 (A New Perspective)

Many people are confused by Cisco’s NAT/PAT naming conventions, such as “inside local”, etc. Since a picture is worth a kiloword, I thought that perhaps a few diagrams might help.

Let’s say that our host H1 has IP address 10.1.1.1/24, an RFC 1918 private address. We want to cross the Internet to access host H2, which has the public IP address 198.133.219.25, as shown in Figure 1:

Because we can’t advertise RFC 1918 addresses to the public Internet, in order to make this work we’re going to perform PAT (overloading) on R1, our edge router. Let’s assume that our internal LAN, with address space 10.1.1.0/24, is connected to R1’s Ethernet 0 interface. We’ll be overloading on Serial 0, which has the IP address 64.82.100.67, in public space. To accomplish the translation, the commands would be:

R1(config)#access-list 1 permit 10.1.1.0 0.0.0.255
R1(config)#ip nat inside source list 1 interface serial 0 overload
R1(config)#int e0
R1(config-if)#ip nat inside
R1(config-if)#int s0
R1(config-if)#ip nat outside

Figure 2 summarizes the situation at this point:

Inside and Outside: These refer to the physical location of the device whose address is being referenced. The physical locations were unambiguously defined by configuring the appropriate router interfaces with these commands:

ip nat inside

ip nat outside

In our example, R1 is doing the translation, with the “inside” interface attached to our LAN, and the “outside” interface on the WAN link to our service provider.

Key point: Because of the way we have configured R1’s interfaces, “inside” is defined to mean “located on our side of R1”, and “outside” means “located on the far side of R1”.

Local and Global: These refer to the perspective (viewpoint) from which the address is being observed, not where the device is located.

Key point: In our example, “local” is defined to mean “looking at it from our side of R1”, and “global” means “looking at it from the far side of R1”.

Yeah, yeah…but what about “inside local”? The key to the jargon is to realize that it describes what we’re looking at, and from where, in that order. It’s location-perspective. In other words, “inside local” means that we’re looking at the address of an “inside” device (on our side of our router), from our “local” perspective (from our side of our router). Given the two locations (inside and outside), and the two perspectives (local and global), there are four possibilities:

Inside Local

Inside Global

Outside Local

Outside Global

We’ll discuss each of these in turn. Since humans can’t actually see the packets as they traverse the media, by “looking” we mean what we would “see” if we were to install protocol analyzers “locally” and “globally”, and examine the addresses within the packets’ IP headers. Since I can’t draw a protocol analyzer, in the diagrams I’ll use an “X-ray eyeball” that’s able to see the packet headers.

Inside Local: Viewing an “inside” device from the “local” perspective, as shown in Figure 3. This is how we see the IP address of H1 from our side of R1. In our example, the “inside local” address is 10.1.1.1, which is the actual address of H1.

Inside Global: Viewing an “inside” device from the “global” perspective, as shown in Figure 4. This is how the Internet sees the IP address of H1. In our example, the “inside global” address is 64.82.100.67, the translated address of H1.

Outside Local: Viewing an “outside” device from the “local” perspective, as shown in Figure 5. This is how H1 sees the IP address of H2. In our example, the “outside local” address is 198.133.219.25, which is not being translated.

Outside Global: Viewing an “outside” device from the “global” perspective, as shown in Figure 6. This is how the Internet sees the IP address of H2. In our example, the “outside global” address is 198.133.219.25, which is H2’s actual address.

Since in our example we’re not translating the destination address on the way out (nor the source address on the way back), the “outside local” and “outside global” addresses are identical. Figure 7 shows our current situation, including the four combinations of location and perspective, along with the corresponding addresses.
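To make the four combinations concrete, here is a small Python model of what R1 does with the configuration above. This is an added example, not code from the article or from Cisco: it represents R1’s “ip nat inside source list 1 interface serial 0 overload” as a table that maps each inside local address and port to the Serial 0 address and a port, translates a packet outbound, reverses the translation on the reply, and reports the same packet as inside local / inside global / outside local / outside global. The port-selection policy (keep the host’s original source port unless another inside host already holds it, otherwise allocate a fresh one) and the port range are assumptions of this model, not a statement of how IOS allocates ports.

```python
import ipaddress
from dataclasses import dataclass

# Values taken from the article's example topology.
INSIDE_NET = ipaddress.ip_network("10.1.1.0/24")   # access-list 1 permit 10.1.1.0 0.0.0.255
OUTSIDE_IF_ADDR = "64.82.100.67"                    # Serial 0, the overload address
H2_ADDR = "198.133.219.25"                          # the public host we want to reach


@dataclass(frozen=True)
class Packet:
    """Just the IP/transport header fields that PAT cares about."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class PatRouter:
    """Hypothetical model of R1 overloading one outside interface address."""

    def __init__(self, inside_net, global_addr, first_port=1024):
        self.inside_net = inside_net
        self.global_addr = global_addr
        self.next_port = first_port          # assumed start of the allocation pool
        self.table = {}                      # (inside local ip, port) -> inside global port
        self.reverse = {}                    # inside global port -> (inside local ip, port)

    def _alloc_port(self):
        # Assumed policy: hand out the lowest unused port from the pool.
        while self.next_port in self.reverse:
            self.next_port += 1
        port = self.next_port
        self.next_port += 1
        return port

    def outbound(self, pkt):
        """Inside -> outside: rewrite the source (inside local -> inside global)."""
        if ipaddress.ip_address(pkt.src_ip) not in self.inside_net:
            return pkt                       # not matched by access-list 1: forwarded as-is
        key = (pkt.src_ip, pkt.src_port)
        if key not in self.table:
            # Keep the host's own port when free so the table stays readable;
            # only pick a new one when a second inside host collides on it.
            gport = pkt.src_port if pkt.src_port not in self.reverse else self._alloc_port()
            self.table[key] = gport
            self.reverse[gport] = key
        # Destination is untouched: outside local == outside global in this setup.
        return Packet(self.global_addr, self.table[key], pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt):
        """Outside -> inside: rewrite the destination back (inside global -> inside local)."""
        if pkt.dst_ip != self.global_addr or pkt.dst_port not in self.reverse:
            return None                      # no translation entry: the router drops it
        ip, port = self.reverse[pkt.dst_port]
        return Packet(pkt.src_ip, pkt.src_port, ip, port)


def four_views(local_pkt, global_pkt):
    """Label one outbound packet as seen on the LAN (local) and on the WAN (global)."""
    return {
        "inside local": f"{local_pkt.src_ip}:{local_pkt.src_port}",
        "inside global": f"{global_pkt.src_ip}:{global_pkt.src_port}",
        "outside local": f"{local_pkt.dst_ip}:{local_pkt.dst_port}",
        "outside global": f"{global_pkt.dst_ip}:{global_pkt.dst_port}",
    }


def demo():
    """Walk H1 and a second inside host through R1 and return the labelled views."""
    r1 = PatRouter(INSIDE_NET, OUTSIDE_IF_ADDR)
    h1_local = Packet("10.1.1.1", 40000, H2_ADDR, 80)     # constructed sample flow
    h1_global = r1.outbound(h1_local)
    h3_local = Packet("10.1.1.3", 40000, H2_ADDR, 80)     # same source port: forces a collision
    h3_global = r1.outbound(h3_local)
    reply_to_h3 = r1.inbound(Packet(H2_ADDR, 80, OUTSIDE_IF_ADDR, h3_global.src_port))
    return {
        "h1": four_views(h1_local, h1_global),
        "h3": four_views(h3_local, h3_global),
        "reply_to_h3": reply_to_h3,
        "table_size": len(r1.table),
    }


if __name__ == "__main__":
    for name, view in demo()["h1"].items():
        print(f"{name:>15}: {view}")
```

Running it shows that for H1 the “inside local” view is 10.1.1.1:40000, the “inside global” view is 64.82.100.67:40000, and the outside local and outside global views are both 198.133.219.25:80, exactly the situation Figure 7 summarizes; the second host shares the same global address and differs only by port, which is what “overloading” means.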

Key point: It’s possible that NAT/PAT is also being done on H2’s side, but there is no way we can tell that from our side. If so, they would have their own versions of inside/outside and local/global that have nothing whatsoever to do with ours.

No matter what terms Cisco chose to use, it would boil down to the same location-perspective issue. So it is what it is, and that’s “what we’re looking at, and from where”.

And, yes, I still often put my fingers on the diagram and talk to myself when figuring this stuff out. “Inside global…so we’re talking about the inside stuff” while my left hand is pointing to the LAN…“from the global perspective” …my right hand is pointing to the Internet, and sliding from right to left to show the direction I’m looking.

By the way, although we used PAT (overloading) in our example, the “location-perspective” terms work the same way for static and dynamic NAT.
